Learn about the possible sequences for implementing ISO 27001 and ISO 22301, and the important decision criteria.

Implementing ISO management system standards, even with the help of toolkits and consultants, can be a challenging task. In practice, it sometimes seems appropriate to enhance preparedness and protection in several areas of an organization, covering multiple processes and disciplines. While a security-oriented approach may demand immediate protection from a great variety of threats (i.e., implementation of both standards at the same time), practical limitations most often demand a sequential approach (i.e., implementation of the first of the two standards, then the other).

When to implement information security first

This might be the conclusion in IT-heavy industries in trade and service-oriented organizations. If the main deliverables of such an organization are predominantly services and not physical products, this might be an indication that information technology is crucially important for providing added value.

Examples might be telecommunication companies, financial institutions, insurance companies, e-commerce sites, etc. These organizations have in common that information processing and storage are extremely important for the operation. Loss or leakage of information, non-availability of information or loss of integrity of information must be prevented in order to create value for customers and preserve trust in the organization.

As threats to data and information assets are on the rise (willful, intentional interference with and destruction of these assets, such as denial of access to sites, blockage of access, data theft and/or blackmail), putting more weight and priority on information security as a precautionary measure will be ever more important in the future.

When to implement business continuity first

In industries and organizations where information processing is a necessary backbone of the operation, but where an impact analysis reveals that important processes and resources (supporting key products and services) depend on inputs other than IT alone, we face a different challenge. Just “fixing” IT or information security may leave many other processes and resources vulnerable to non-IT-related threats.

If we take a closer look at a typical manufacturing company, even before performing a business impact analysis, we see raw materials or half-finished goods flowing into the production site, we see the production facilities at the heart of the organization, and there is a flow of products to storage facilities (warehousing) and/or just-in-time shipping to customers or subsequent manufacturing facilities. While this process is in most cases supported by IT resources, there are certainly other threats to it. In a nutshell, the organization depends on suppliers and a supply chain, the production and warehousing facilities might be endangered by fire, flood, sabotage, etc., and the delivery supply chain needs to be secured as well.

If operating in an area experiencing an increase in natural hazards, such as storms, fires or floods, an immediate implementation of business continuity measures might be of prime importance. The same holds true if a threat and vulnerability analysis has shown that the organization is going to experience increased threats from physical sabotage or terrorism.

When to implement both management systems simultaneously?

If your organization does not clearly fall into one of the categories described above (or if you just can’t decide), you might try a combined implementation. While this sounds crazy and overwhelming at first, there are obvious synergies in running a simultaneous implementation.

Why? Modern ISO management system standards have been designed to be nearly identical in structure. For example, the main headings of the standards are generic and simply do not reveal which flavor of management system standard we are facing. This means that the implementation procedures are very similar, and implementing two standards in a quasi-simultaneous way results in a significantly reduced implementation effort. On top of that, modern implementation tools and toolkits offer excellent support for implementation management.

How to decide?

If your organization faces a multitude of non-IT threats (each of them capable of stopping operations), and if your IT is just supporting your business processes, you might obtain more “bang for the buck” by focusing on implementing business continuity management, based on ISO 22301.

On the other hand, if you’re not offering any physical deliverables, but just deal with digital products, and information technology processes are the heart of your organization, you should rather implement an Information Security Management System according to ISO 27001 as soon as reasonably possible.

Most organizations fall somewhere in the middle, which means that implementing a BCMS with a comprehensive treatment of information security issues might constitute a completely reasonable approach after all.